[00:05.910 --> 00:12.690]  Welcome to Space Security Challenge 2020, HackASAT, the final event. As the democratization
[00:12.690 --> 00:18.150]  of space opens up a new frontier for exploration and innovation, we see new cybersecurity
[00:18.150 --> 00:24.790]  vulnerabilities emerging. The Space Security Challenge is designed to inspire the world's
[00:24.790 --> 00:30.490]  top cybersecurity talent to develop the skills necessary to secure this last frontier of
[00:30.490 --> 00:38.030]  cybersecurity, space. And already we've made a ton of progress. I'll catch you up. This
[00:38.030 --> 00:42.850]  spring, we hosted over 2,000 teams who worked their way through a set of foundational space
[00:42.850 --> 00:48.750]  cybersecurity challenges in our HackASAT qualification round. Now, eight finalist
[00:48.750 --> 00:54.500]  teams are stepping up to the ultimate challenge. They are hacking a satellite.
[01:01.120 --> 01:06.660]  Welcome to the first of two daily recaps for the Space Security Challenge 2020, or HackASAT.
[01:06.660 --> 01:13.360]  I'm still your host, Jordan Wines. As our eight teams have been vying for a share of a $100,000
[01:13.360 --> 01:18.520]  prize pool, we're going to check in and summarize the status of the day. Of course, they also
[01:18.520 --> 01:25.300]  received $15,000 just to get here as a finalist. The competition for that was fierce. Our finalists
[01:25.300 --> 01:31.400]  beat out over 2,000 other teams made up of over 6,000 other competitors. Of course, the biggest
[01:31.400 --> 01:36.360]  prize of all might not even be the money or even the friends we made along the way, but the bragging
[01:36.360 --> 01:40.480]  rights for your code to be selected to take an actual photograph of the moon from a satellite
[01:40.480 --> 01:46.200]  in space. While this event was originally planned to be in person during DEF CON in the aerospace
[01:46.200 --> 01:51.720]  village, the global pandemic has caused us to reimagine the event experience. The result is an
[01:51.720 --> 01:55.900]  immersive 3D environment where you can stay up to date with the competition while learning all about
[01:55.900 --> 02:00.580]  space security and the event itself. You can connect with other spectators and even play games
[02:00.580 --> 02:05.400]  and add to our graffiti wall. So if you aren't already watching this from our immersive 3D
[02:05.400 --> 02:12.400]  environment, check it out at virtual.hackasat.com. As prior DEF CON attendees, some of you are very
[02:12.400 --> 02:17.740]  familiar with the many flavors of contests that test your hacking skills. But for others, we
[02:17.740 --> 02:22.800]  realize this is a whole new world. There are many types of hacking contests and HackASAT falls
[02:22.800 --> 02:31.800]  into the category of capture the flag or CTF. Remember the game you played as a kid with flags
[02:31.800 --> 02:37.540]  hidden in opponent's terrain? Now imagine the field is code and the flags are secret data.
[02:37.540 --> 02:42.080]  Players exploit security flaws to capture the flags while at the same time defending their
[02:42.080 --> 02:48.040]  networks from opposing teams. These capture the flag CTF events are as diverse as the teams that
[02:48.040 --> 02:53.900]  play them. This is a global competitive community with thousands of players and global rankings.
[02:53.900 --> 02:59.660]  It's been a part of the origin story for a great many prominent security experts. So what do these
[02:59.660 --> 03:05.360]  hacking games look like? CTFs can be either in person or online and usually take place over a
[03:05.360 --> 03:10.440]  weekend or other short period. They often have a qualification round that determines who gets to
[03:10.440 --> 03:15.640]  participate in the finals. CTFs are sometimes themed around a specific domain like space for
[03:16.220 --> 03:21.100]  but more commonly they are not specialized and include a wide variety of different types of
[03:21.100 --> 03:28.440]  challenges. The most common types of CTFs include Jeopardy CTFs, sometimes called red team CTFs,
[03:28.440 --> 03:33.140]  are named for their use of the classic game board as a scoreboard. These are more offensive focused.
[03:33.140 --> 03:38.120]  Each team is given infrastructure to attack and the number of successful attacks, the difficulty,
[03:38.120 --> 03:43.480]  or the speed at which they succeed is factored into their score. Attack defense, A slash D,
[03:43.480 --> 03:48.340]  full spectrum CTFs, which are closer to the original game you might have played as a kid.
[03:48.340 --> 03:53.600]  Each team has a server or set of servers to defend and must attack other teams while also protecting
[03:53.600 --> 03:59.140]  their own infrastructure. King of the Hill style CTFs are full spectrum CTFs in which teams score
[03:59.140 --> 04:04.780]  points by gaining and maintaining control of individual systems. And finally, the less common
[04:04.780 --> 04:10.540]  blue team exercises, which are primarily defensive events. Game organizers host an environment and
[04:10.540 --> 04:14.800]  often a professional team of attackers to test the participants' defensive skills.
[04:14.800 --> 04:18.880]  These are more common in the high school and collegiate level. How do you win?
[04:18.940 --> 04:23.920]  Even though the goal of the CTFs is to find and exploit vulnerabilities in computer systems,
[04:23.920 --> 04:28.820]  fair play is essential. There are lots of ways to win, but to get the respect of your peers,
[04:28.820 --> 04:33.680]  you need to have good technical solutions. Nobody is impressed if you use a network flood to knock
[04:33.680 --> 04:38.020]  the scoreboard offline and those kinds of shenanigans will get you shunned quickly.
[04:38.020 --> 04:43.080]  The best CTF players have built specialized tools, practice within their domains and include
[04:43.080 --> 04:50.720]  domain experts in many aspects of security. Why CTF? At their core, CTF challenges are a way for
[04:50.720 --> 04:55.120]  hackers to build community and demonstrate and hone their skills with other equally skilled
[04:55.120 --> 04:59.360]  people. Competitions are also a chance to experience the joy of learning about a new
[04:59.360 --> 05:04.340]  programming language or a new piece of technology hackers haven't used before. Capture the Flag
[05:04.340 --> 05:08.680]  challenges have also been used to help train cybersecurity teams and to get new hackers
[05:08.680 --> 05:14.440]  interested in security research. Some companies even use competitions similar to CTFs to recruit
[05:14.440 --> 05:19.840]  and vet potential candidates for employment. And CTFs have had real-world impact with competitors
[05:19.840 --> 05:24.940]  finding actual security flaws in contest infrastructure. Their solutions, while not
[05:24.940 --> 05:29.760]  counting towards winning the game, are often implemented in a real-world context. With
[05:29.760 --> 05:34.880]  HackASAT, we have a CTF game designed to raise awareness about cybersecurity issues in space
[05:34.880 --> 05:39.700]  and help researchers develop specific skills and domain knowledge they'll need to help secure this
[05:39.700 --> 05:44.800]  new frontier. But as many of the players during our quals round found out, there are a lot of
[05:44.800 --> 05:49.840]  problems unique to the environments outside our atmosphere. To learn more about hacking in space,
[05:49.840 --> 05:55.260]  check out our Space Talk videos that explain some of the most interesting space-specific challenges.
[05:56.460 --> 06:01.460]  For more on CTFs and other hacking and space-related topics, go to the research room in the virtual
[06:01.460 --> 06:07.380]  environment or check out the related YouTube playlist. Okay, let's go ahead and recap the whole
[06:07.380 --> 06:18.890]  day so far. The game has actually been underway for one hour now, and our teams' first challenge
[06:18.890 --> 06:23.550]  has been to regain control of the ground station that they'll be using to communicate with their
[06:23.550 --> 06:29.490]  Flatsats. In fact, just before this broadcast went live, we received word that this challenge
[06:29.490 --> 06:35.630]  was actually solved by Team Samurai. Congratulations to them! Right after our last update ended with
[06:35.630 --> 06:40.310]  only a Samurai solve, several other teams came in with solutions for Challenge Zero.
[06:40.510 --> 06:47.150]  PFS and Solarwine were solvers 2 and 3 on that challenge. After those two teams scored on
[06:47.150 --> 06:51.230]  Challenge Zero, every other team was eventually able to solve Challenge Zero over the next several
[06:51.230 --> 06:56.910]  hours. Taking a look at the scoreboard so far, we've had an eventful last hour. Our teams continue
[06:56.910 --> 07:01.690]  to make progress, with four teams now having solved Challenge One. Unfortunately, the window
[07:01.690 --> 07:06.550]  of time after first solve has expired, and the remaining four teams were given a solution with
[07:06.550 --> 07:14.650]  no points. PFS and Poland Can Into Space were joined by 1553 and 1064 Seabred with solutions for
[07:14.650 --> 07:20.610]  Challenge One. Now, this was going to be where I signed off with this update, but as we were live,
[07:20.610 --> 07:25.470]  PFS actually jumped up on the scoreboard yet again, solving Challenge Two.
[07:31.310 --> 07:35.630]  You may have noticed that first blood overlay and sound effect in that summary. While it was
[07:35.630 --> 07:39.790]  originally used in Unreal Tournament to indicate a kill, the phrase and even sometimes the sound
[07:39.790 --> 07:44.710]  effects are often used in CTF competitions to indicate the first team to solve a particular
[07:44.710 --> 07:52.390]  challenge. The challenges that teams have solved so far include a Challenge Zero, which required
[07:52.390 --> 07:57.110]  exploiting an insecure web application to steal credentials for the ground station controller,
[07:57.110 --> 08:00.610]  and then using that Cosmos ground station, the teams had to restore communication
[08:00.610 --> 08:04.530]  with their flatsats as they were tumbling and not communicating well.
[08:04.830 --> 08:11.490]  The Challenge One involved connecting to the ground station, turning up the power,
[08:11.490 --> 08:15.490]  turning down the bandwidth, which is very much a real-world troubleshooting step.
[08:15.630 --> 08:20.010]  Next, the teams have to restore proper orientation control over their flatsat,
[08:20.010 --> 08:25.430]  but only one team so far has managed to accomplish this feat. That brings us to what's happened in
[08:25.430 --> 08:30.650]  the last two hours of the competition. Most teams are now working on two or three challenges,
[08:30.650 --> 08:34.210]  the On-Orbit Challenge, Challenge Two, and Challenge Three.
[08:36.590 --> 08:41.450]  PFS has been pulling away to a healthy lead that is going to be hard to catch up to tomorrow.
[08:41.510 --> 08:47.050]  Hard, but definitely not impossible. All it takes is for them to get stuck in a problem and be passed
[08:47.050 --> 08:52.930]  in turn, much like they did to Samurai at the start of the game. It's also interesting to note
[08:52.930 --> 08:58.790]  that PFS, which is actually short for Pwn First Search, and Poland Can Into Space, are number one
[08:58.790 --> 09:04.050]  and number two on the leaderboard, are two of the smallest teams in the competition. Having a large
[09:04.050 --> 09:08.690]  team is sometimes an advantage, but it definitely comes with logistical issues, and in this case,
[09:08.690 --> 09:14.810]  where the challenges are serial in nature, it isn't always helpful. Let's take a look again
[09:14.810 --> 09:48.890]  at the PFS team bio. If you were here with us live, you might remember that right in the middle
[09:48.890 --> 09:53.510]  of teams working on their challenges at around 12 p.m. Pacific, all teams had to stop what they
[09:53.510 --> 10:01.690]  were doing and shift focus to the on-orbit challenge. Stop everything and look up. Starting
[10:01.690 --> 10:07.670]  now, teams shift to the on-orbit challenge. Their primary goal is to capture a picture of the moon
[10:07.670 --> 10:13.150]  using the satellite. Competitors will have access to the two-line element of the vehicle
[10:13.150 --> 10:18.410]  and the camera's boresight vector. Each team is tasked with creating a mission plan that
[10:18.410 --> 10:23.370]  transitions a satellite from a tumbling state to one where it points the camera at the moon.
[10:24.170 --> 10:29.430]  The team will reach a successful status once their resulting mission plan meets key criteria.
[10:29.870 --> 10:35.050]  1. The commands are generated in the correct order and are within the specified period.
[10:35.350 --> 10:39.870]  2. The image capture angle of the moon is within specifications.
[10:40.310 --> 10:45.710]  3. The team's negative z-axis is pointed as close to the earth's center as possible
[10:45.710 --> 10:48.810]  without affecting the camera-to-moon pointing error.
[10:49.210 --> 10:53.250]  4. The teams are given a command dictionary with the format for submitting the commands
[10:53.250 --> 11:03.250]  and parameters. The rest is up to them. Of course, while PFS is currently in the lead,
[11:03.250 --> 11:08.110]  they still have a critical problem to solve, specifically the on-orbit challenge. While
[11:08.110 --> 11:12.190]  Poland Can Into Space is only nipping at their heels at number two on the scoreboard,
[11:12.190 --> 11:16.670]  they are critically not only the first team with an attempted solution to their on-orbit challenge,
[11:16.670 --> 11:21.990]  but the first with an accepted solution. That would mean that they would be able to pass PFS
[11:21.990 --> 11:27.450]  if PFS is not able to actually solve, because again, that is a pass-fail challenge, and it
[11:27.450 --> 11:31.290]  will be critical to see what happens in the last few minutes of gameplay today, as well as tomorrow
[11:31.290 --> 11:36.390]  in the on-orbit challenge. Now that the day is wrapping up, hopefully some of the organizers
[11:36.390 --> 11:41.090]  have a little bit more time, so we're going to see if we can bring into video chat Vito Genovese,
[11:41.090 --> 11:45.470]  who many of you may recognize from his time as a member of LegitBS, the team that organized the
[11:45.470 --> 11:50.770]  DEFCON CTF for five years prior to the current organizers, The Order of the Overflow. Vito is
[11:50.770 --> 11:55.510]  also currently with Cromulence, the creators of the flatsats and many of the challenges in HackASAT.
[11:55.630 --> 12:01.310]  Vito, can you hear me? Are you there? Yes, loud and clear. Good evening. Excellent. Glad we got
[12:01.310 --> 12:05.130]  you. Thanks for stopping by. I know you guys have been very, very busy kind of manning the systems
[12:05.130 --> 12:12.630]  and talking to the teams. How's the game going so far? It's been going. We've kind of had some,
[12:12.630 --> 12:19.550]  the flatsats are small run hardware, which always has issues, but we're super, super thankful the
[12:19.550 --> 12:22.910]  teams are being patient with us and they're putting up a good fight and making really,
[12:22.910 --> 12:29.810]  really good progress in the game. Is this pacing what you expected? Speaking of how they're kind
[12:29.810 --> 12:33.170]  of doing, is this about where you thought they would be or you wanted them to be or how does
[12:33.170 --> 12:38.570]  this fit with your expectations? It's really hard to set expectations for these games. A lot of it
[12:38.570 --> 12:42.770]  is, you know, throwing stuff around. We can't even be in the same room doodling on a whiteboard
[12:42.770 --> 12:49.410]  while we do it. So, you know, the expectations are not necessarily what's been happening,
[12:49.410 --> 12:55.270]  but we'll survive. It's a difficult game and, you know, we'll see what happens tomorrow.
[12:55.610 --> 12:59.330]  And it, I mean, it does seem like that if they've made good progress up to here,
[12:59.330 --> 13:02.730]  they could have been a lot further behind. It would be nice to see them maybe a challenge ahead,
[13:02.730 --> 13:06.750]  but this is certainly within reach, right? Like there's nothing kind of too crazy about what they
[13:06.750 --> 13:10.450]  have remaining. This could be doable. And these, we know these are good teams that are capable of
[13:10.450 --> 13:16.810]  more, it seems like, right? Right, yeah, absolutely. The, you know, challenges zero, challenges one,
[13:16.810 --> 13:21.190]  they're hard challenges and the teams that took time on them, they still took time on them. They
[13:21.190 --> 13:25.970]  did make progress and they did get through eventually. It's, you know, admirable work and
[13:25.970 --> 13:31.130]  it's, you know, it's a difficult time for everybody involved. Now, do you miss actually being in Vegas
[13:31.130 --> 13:35.470]  and going to DEF CON or you actually kind of prefer being remote? What's your take on that?
[13:35.890 --> 13:41.070]  Absolutely miss it. You know, my, my favorite restaurant in Vegas, I miss, or my favorite
[13:41.070 --> 13:45.650]  restaurants plural in Vegas. I miss that. I miss seeing my friends. I miss wearing my, you know,
[13:45.650 --> 13:52.270]  special DEF CON shoes, which are behind me on the shelf. They're not in frame yet, but you know,
[13:52.270 --> 13:55.170]  it's, it's better than getting really, really sick, I guess.
[13:55.770 --> 14:00.030]  Given the alternative. Yeah. We're all kind of doing what, doing what we can and should there.
[14:00.030 --> 14:04.590]  In fact, even you were originally supposed to be on stream with me and we just thought for,
[14:04.590 --> 14:08.850]  that we would, we would do this via zoom and we'd be able to work it out that way. So thanks for,
[14:09.330 --> 14:13.510]  for doing that. Tell me a little bit more about the rationale behind the scoring algorithm
[14:13.510 --> 14:17.790]  and the game design, this, this decay and the kind of the grace window, what,
[14:17.790 --> 14:21.190]  what design constraints went into that, that decision?
[14:22.010 --> 14:26.250]  Okay. So the main design constraint with this is it's a very linear catch the flag game.
[14:27.290 --> 14:31.450]  So what's, what has to happen is we're trying to get teams to take over this,
[14:31.450 --> 14:35.350]  regain control of this, you know, tumbling satellite lost in space.
[14:35.370 --> 14:40.630]  And that is a complicated operation. And instead of just having, you know, one single,
[14:40.630 --> 14:44.090]  you know, you get this chunk of points, if you win the game, we split it up into different
[14:44.090 --> 14:48.670]  little gates that teams have to pass through. So, you know, challenge zero or the first gate
[14:48.670 --> 14:53.230]  is getting control of the, of a machine in the ground station. Challenge one after that
[14:53.230 --> 14:56.530]  is being able to actually talk and receive messages with the satellite.
[14:56.630 --> 15:01.130]  So we had to split this up in order to keep, you know, make the game actually have points
[15:01.130 --> 15:06.190]  before you get to the end. And at the same time, in order to make the points actually meaningful,
[15:06.190 --> 15:09.270]  we wanted to make sure there was some time pressure for teams to go quickly
[15:09.270 --> 15:14.810]  and make progress throughout the whole weekend. So we have this kind of decay system implemented.
[15:15.070 --> 15:18.450]  So each challenge is worth a fixed number of points at the beginning.
[15:18.530 --> 15:22.990]  And as soon as the team solves it the first time, the clock starts ticking.
[15:23.070 --> 15:27.390]  So within that first 30 minutes, anybody else who solves that challenge is also going to get
[15:27.390 --> 15:32.290]  the full points. For challenge zero, that would be 50 points. For challenge two, or for challenge one,
[15:32.290 --> 15:37.910]  that was 200 points. Beyond that, after that first 30 minutes, we have another two-hour interval
[15:37.910 --> 15:44.230]  where that point amount starts gradually ticking down towards zero. Once it's hit zero, we don't
[15:44.230 --> 15:48.290]  award points for it. And at that point, it also means that we share hints to, you know, nudge
[15:48.290 --> 15:52.870]  teams along to get them to the next phase of the competition. And that's one of the advantages,
[15:52.870 --> 15:56.870]  I think, is that, you know, a team, if they happen to get stuck on one particular problem,
[15:56.870 --> 16:01.490]  in a serial event in particular, there's just not much you can do, in fairness to the other teams,
[16:01.490 --> 16:04.970]  in terms of, you know, kind of, you don't want to give a team a hint just because they're behind,
[16:04.970 --> 16:08.590]  because that actually hurts them. But by having the score drop off in a point at which they have
[16:08.590 --> 16:12.090]  to be done or else they're just given a hint, well, then they've lost all the points for it.
[16:12.090 --> 16:16.170]  And so it keeps them up with the game while not punishing the teams that do well. So that
[16:16.170 --> 16:20.930]  makes a lot of sense. If you had a favorite challenge, what's the number? And if it's one we
[16:20.930 --> 16:26.430]  haven't seen yet, like, no spoilers, of course, but what do you like best? So it's honestly, for me,
[16:26.430 --> 16:30.870]  it's probably challenge one, which is kind of where the game starts to diverge from a normal
[16:30.870 --> 16:34.970]  capture the flag contest. With challenge zero, we had a web app that teams had to,
[16:34.970 --> 16:38.210]  I think, determine a cookie secret in. And that's very...
[16:41.810 --> 16:46.670]  Challenge one is where we start to diverge. That's where we have to, once we've gotten
[16:46.670 --> 16:52.350]  into the ground station and are able to talk to the, you know, satellite control system Cosmos,
[16:52.350 --> 16:56.570]  that's where teams have to figure out how to turn telemetry on on the satellite,
[16:56.570 --> 17:00.570]  because it's not, you know, just another machine on the network with an IP address,
[17:00.570 --> 17:05.910]  and where teams have to figure out how to tell the satellite's radio to configure itself in a way
[17:05.910 --> 17:10.030]  that it's actually functional for the rest of the game, for sending messages back and forth.
[17:10.030 --> 17:14.650]  I saw a great quote go over the team communication channel from the organizers that said,
[17:16.090 --> 17:20.490]  these are not like traditional network devices. And if you think sending, you know, two requests
[17:20.610 --> 17:24.490]  a second, you know, will get you more reliability the way you would in a normal network,
[17:24.490 --> 17:28.870]  that may be counterproductive here, which I thought was a great kind of nod towards the,
[17:28.870 --> 17:32.390]  yeah, there's some different constraints and different concerns that maybe, you know, are
[17:32.390 --> 17:37.650]  not the folks first instincts are accurate on, given the environment. So that makes a lot of
[17:37.650 --> 17:43.750]  sense. Yeah, absolutely. It's a satellite is, in some senses, it is, you know, still a computer.
[17:43.930 --> 17:48.310]  But the problem is, is it's a computer that costs millions and millions of dollars to,
[17:48.310 --> 17:50.790]  you know, install and it costs, you know, billions of...
[17:52.570 --> 17:56.090]  No, I think we might've lost you a little bit there for some network. Oh, you're back now.
[17:56.090 --> 18:01.150]  Go ahead. Yeah. Okay. Yeah. It costs, you know, millions to, you know, put it in place in the
[18:01.150 --> 18:05.190]  first place. And it costs billions to send somebody up there to push a button to restart it.
[18:05.790 --> 18:11.150]  Beyond that, it's, you know, a computer that you only talk to in RF and it's moving in a way that
[18:11.610 --> 18:15.570]  whenever you can see it, you can probably talk to it, but there's a lot of time from any given
[18:15.570 --> 18:20.350]  ground station where you can't see it at all. And that's a very unique challenge.
[18:21.350 --> 18:25.850]  Vito, thank you very much for both your work on the game and for taking some time to talk to us
[18:25.850 --> 18:29.650]  tonight. Look forward to seeing how the teams do tomorrow and look forward to talking to some more
[18:29.650 --> 18:38.650]  as we see their progress. Excellent. Thanks. Take care. Take care. That's it for this first day of
[18:38.650 --> 18:43.470]  the Space Security Challenge 2020 or HackASAT final event. Overnight, we'll be taking our
[18:43.470 --> 18:48.210]  FlatSats offline so they can get a good rest, aka, have their batteries charged, and so the
[18:48.210 --> 18:53.070]  competition organizers can recharge their batteries, aka, have a good night's rest. Of
[18:53.070 --> 18:56.930]  course, in addition to sleep, the teams will need to continue working on some of the components
[18:56.930 --> 19:02.250]  in between game shutdown and game start tomorrow morning at 7 a.m. Pacific and 10 a.m. Eastern.
[19:02.250 --> 19:06.970]  They've actually been given a firmware image that will help them for the upcoming Challenge 3.
[19:07.630 --> 19:11.790]  Thanks for spending your day with us. Make sure to check out the rest of what's happening at
[19:11.790 --> 19:16.650]  DEFCON, the Aerospace Village, and our Aerospace Workshops. And I look forward to seeing you all
[19:16.650 --> 19:20.850]  tomorrow morning at 9 a.m. Pacific, 12 p.m. Eastern for our next game update.
